Rogues Impersonate Google, Firefox Security Alerts

In the past week, we’ve begun to see new fakealerts — those disturbingly effective, entirely bogus “virus warning” messages — that imitate the appearance and text of legitimate warning dialogs you might see while surfing with the Firefox browser, or searching Google. The message, in a stern, red dialog box on a gray background, reads “Warning! Visiting this site may harm your computer!” and appears to be designed to evoke the look of a Google Safe Browsing advisory as displayed in Firefox.

Cast as a kind of split between a warning message and a clickwrap agreement, the text of the dialog box reads “This web site probably contains malicious software program, which can cause damage to your computer or perform actions without your permission. Your computer may be infected after visiting such web site. We recommend you to install (or activate) antivirus security software.”

At the bottom of the dialog box, two buttons, labeled “Continue Unprotected” and “Get security software,” are preceded by the sentence “I do realize that visiting this site can cause harm to my computer.” I’d give them points for honesty, but I’d rather not give them points for anything.

Nothing happens when you click the “Continue Unprotected” button, and I’ll give you one guess what happens next when you click the “Get security software” button.

The apparently Ukrainian operators of this scam are using the domain name MalwareURLBlock.com as their base of operations. Security enthusiasts might have noticed that this domain is confusingly similar to malwaredomainlist.com, or the less well known malwareurl.com, both of which provide, as a free service, feeds of URLs known to host malware in order to help others block those domains, and for research.
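For defenders who triage newly seen domains, the resemblance described above can be checked mechanically. The following is an added example, not code from the original post: the function names, the 0.45 threshold and the example.org control are assumptions made for illustration, and the trusted list holds only the two services named above.

```python
from difflib import SequenceMatcher

# Legitimate services the post names as the ones being imitated.
TRUSTED = ("malwaredomainlist.com", "malwareurl.com")

def split_name(domain):
    """Return (name label, TLD), lower-cased.
    Assumption: a single-label TLD such as .com; multi-label suffixes
    like .co.uk would need a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")

def similarity(candidate, trusted):
    """Score (0..1) how closely candidate imitates trusted, with a reason."""
    (c, c_tld), (t, t_tld) = split_name(candidate), split_name(trusted)
    if c == t:
        # Same name: either the real site or the name under another TLD.
        return (0.0, "same-site") if c_tld == t_tld else (1.0, "tld-swap")
    if t in c:
        # Trusted name embedded whole, e.g. with an extra word appended.
        return 1.0, "embeds-trusted-name"
    # Otherwise fall back to the share of matching characters.
    return SequenceMatcher(None, c, t).ratio(), "partial-overlap"

def review(candidate, threshold=0.45):
    """List trusted domains that candidate resembles at or above threshold.
    The threshold is an illustrative value to tune against real traffic."""
    if split_name(candidate) in {split_name(t) for t in TRUSTED}:
        return []  # the candidate is one of the trusted sites itself
    hits = []
    for trusted in TRUSTED:
        score, reason = similarity(candidate, trusted)
        if score >= threshold:
            hits.append((trusted, round(score, 2), reason))
    return hits

if __name__ == "__main__":
    # Domain from the post, plus two controls (example.org is constructed).
    for name in ("MalwareURLBlock.com", "malwareurl.com", "example.org"):
        print(name, "->", review(name) or "no match")
```

The containment test is what catches this case: plain character similarity puts the scam domain at only 0.5 against malwaredomainlist.com, while the whole of “malwareurl” sits inside its name.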

A legitimate Google Safe Browsing alert message

Beyond the dialog box, you’re presented with a page for something called Personal Antivirus which, if you couldn’t guess, is a rogue security product. Unlike most rogues, however, you’re not given the opportunity to download a demo version, free scan, or some other example of software smoke-and-mirrors. You’re merely presented with a page that offers the software for purchase at the low, low price of $59.95 (a savings of $33.30 off the already extortionate price for absolutely useless software).

The page even alerts you that “you have an exclusive 40% discount, since US citizens are our most frequent buyers.” Be still my beating heart. And in case you worried that you’d be billed for updates, the page also reassures you that “This is a one-time charge. Your credit card will never be rebilled and you will receive UPGRADES FOR FREE!” (emphasis scumbag)

Clicking the buy button on that page takes you to the order form, where the plot thickens. Somehow, the one-year license, listed at $59.95, with no other “purchases,” totals up to “79.9” at the bottom of the form.

The form also reassuringly features a graphic of a padlock and the words “secure payments” in the upper right corner, because everyone knows that pictures of padlocks — even in the absence of a secure HTTP connection or any semblance of legitimacy — mean everything is just hunky-dory. Now fork over your Mastercard.

The bottom of the order form also states that “Your IP address is logged for fraud prevention” and “Fraud will be prosecuted to the fullest extent of the law.” The extent of which, in this case, does not reach to Ukraine, where the scam artists reside and spend their days counting the cash rolling in.